
fix: get ns labels in the cluster mode when using the CLI #10348

Merged
merged 8 commits into from
Jun 4, 2024

Conversation

@MariamFahmy98 MariamFahmy98 commented May 30, 2024

Explanation

This PR gets the namespace labels for the resource in the CLI when it has the ability to connect to the cluster (i.e. --cluster flag is used)

Related issue

Closes #10260

Milestone of this PR

/milestone 1.12.4

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.

Further Comments

realshuting previously approved these changes May 30, 2024

codecov bot commented May 30, 2024

Codecov Report

Attention: Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.

Project coverage is 10.22%. Comparing base (0736439) to head (4ff6818).

Current head 4ff6818 differs from pull request most recent head d041ec2

Please upload reports for the commit d041ec2 to get more accurate results.

Files Patch % Lines
.../cli/kubectl-kyverno/processor/policy_processor.go 0.00% 5 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #10348      +/-   ##
==========================================
+ Coverage   10.03%   10.22%   +0.19%     
==========================================
  Files        1038     1031       -7     
  Lines       93760    91915    -1845     
==========================================
- Hits         9405     9397       -8     
+ Misses      83323    81489    -1834     
+ Partials     1032     1029       -3     


@realshuting realshuting enabled auto-merge (squash) June 1, 2024 10:39
@realshuting

/cherry-pick release-1.12

auto-merge was automatically disabled June 4, 2024 07:09

Base branch was modified

@MariamFahmy98 MariamFahmy98 enabled auto-merge (squash) June 4, 2024 10:07
@MariamFahmy98 MariamFahmy98 merged commit c391fba into kyverno:main Jun 4, 2024
248 of 249 checks passed

Cherry-pick failed with Merge error c391fba64c72b44c2ab3665ff56414c03f7ba502 into temp-cherry-pick-3e3c47-release-1.12


anushkamittal2001 commented Jun 26, 2024

@MariamFahmy98

With the main branch, I built the CLI and checked with the resources you used in the test:
policy

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root-user
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: run-as-non-root-user
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Running the container as root user is not allowed.
        pattern:
          spec:
            =(securityContext):
              =(runAsUser): ">0"
            =(ephemeralContainers):
              - =(securityContext):
                  =(runAsUser): ">0"
            =(initContainers):
              - =(securityContext):
                  =(runAsUser): ">0"
            containers:
              - =(securityContext):
                  =(runAsUser): ">0"

polex

apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
  name: exception
spec:
  background: false
  exceptions:
  - policyName: require-run-as-non-root-user
    ruleNames:
    - run-as-non-root-user
  match:
    any:
    - resources:
        namespaceSelector:
          matchExpressions:
          - key: kyverno.tess.io/mutateresource
            operator: In
            values: 
            - "false"
        kinds:
        - Pod
        operations:
        - UPDATE
        - CREATE

pod

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: ns1
spec:
  containers:
  - name: nginx
    image: nginx:latest
    # Runs the container as root (runAsUser: 0), which the policy above rejects
    securityContext:
      runAsUser: 0
    resources:
      limits:
        cpu: "1" 
        memory: "1Gi"

ns

apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2024-06-26T08:48:48Z"
  labels:
    kubernetes.io/metadata.name: ns-1
    kyverno.tess.io/mutateresource: "false"
  name: ns1
  resourceVersion: "19934"
  uid: 6a83dbf6-c10c-43cc-8687-f0ccbe74056f
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

output:

kyverno ) ./cmd/cli/kubectl-kyverno/kubectl-kyverno apply --namespace ns1 /Users/nirmata/Desktop/n4k-license-manager/polex.yaml -p /Users/nirmata/Desktop/n4k-license-manager/pol.yaml --cluster
apiVersion: wgpolicyk8s.io/v1alpha2
kind: ClusterPolicyReport
metadata:
  creationTimestamp: null
  name: merged
results:
- message: 'validation error: Running the container as root user is not allowed. rule
    run-as-non-root-user failed at path /spec/containers/0/securityContext/runAsUser/'
  policy: require-run-as-non-root-user
  resources:
  - apiVersion: v1
    kind: Pod
    name: test-pod
    namespace: ns1
    resourceVersion: "468"
    uid: e4ac39c2-0558-45dd-9217-60bdcaa7238a
  result: fail
  rule: run-as-non-root-user
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1719392086
summary:
  error: 0
  fail: 1
  pass: 0
  skip: 0
  warn: 0

Am I missing something?

@MariamFahmy98 MariamFahmy98 deleted the fix-10260 branch June 26, 2024 10:49
@MariamFahmy98 (Contributor, Author)

> @MariamFahmy98 With the main branch, I built the CLI and checked with the resources you used in the test: [manifests and output quoted from the comment above] Am I missing something?

You have to pass exceptions through the --exception flag. The command would be as follows:

./cmd/cli/kubectl-kyverno/kubectl-kyverno apply policy.yaml --exception exception.yaml --cluster --namespace ns-1 -p

The output is as follows:

apiVersion: wgpolicyk8s.io/v1alpha2
kind: ClusterPolicyReport
metadata:
  creationTimestamp: null
  name: merged
results:
- message: rule skipped due to policy exception exception
  policy: require-run-as-non-root-user
  properties:
    exception: exception
  resources:
  - apiVersion: v1
    kind: Pod
    name: test-pod
    namespace: ns-1
    resourceVersion: "1288"
    uid: 1bd8e585-179b-44ac-b66f-45855fe591a3
  result: skip
  rule: run-as-non-root-user
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1719399064
summary:
  error: 0
  fail: 0
  pass: 0
  skip: 1
  warn: 0

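The behaviour the two comments above turn on is a PolicyException whose match uses a namespaceSelector: the selector can only be evaluated against the labels of the Pod's Namespace, which the CLI can read only with --cluster, and the exception is only considered at all when it is passed with --exception. The following is an added Go example, not Kyverno's own code: the selector evaluation, the label sources (`clusterLabels`, `offlineLabels`) and the functions `ExceptionApplies` and `RuleResult` are stand-ins written for this example, and the namespace labels are constructed to match the ns1 manifest posted above.

```go
package main

import "fmt"

// Requirement mirrors one entry of a LabelSelector's matchExpressions.
type Requirement struct {
	Key      string
	Operator string // In, NotIn, Exists, DoesNotExist
	Values   []string
}

// NamespaceSelector is the part of a PolicyException match evaluated here.
type NamespaceSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}

func contains(vals []string, v string) bool {
	for _, x := range vals {
		if x == v {
			return true
		}
	}
	return false
}

// Matches reports whether nsLabels satisfies every term of the selector
// (all terms are ANDed, as in Kubernetes label selectors).
func (s NamespaceSelector) Matches(nsLabels map[string]string) bool {
	for k, v := range s.MatchLabels {
		if got, ok := nsLabels[k]; !ok || got != v {
			return false
		}
	}
	for _, r := range s.MatchExpressions {
		got, present := nsLabels[r.Key]
		switch r.Operator {
		case "In":
			if !present || !contains(r.Values, got) {
				return false
			}
		case "NotIn":
			if present && contains(r.Values, got) {
				return false
			}
		case "Exists":
			if !present {
				return false
			}
		case "DoesNotExist":
			if present {
				return false
			}
		default:
			return false // unknown operator: fail closed rather than silently exempt
		}
	}
	return true
}

// NamespaceLabelSource abstracts where the CLI obtains namespace labels.
type NamespaceLabelSource interface {
	Labels(namespace string) (map[string]string, bool)
}

// clusterLabels stands in for a client reading Namespace objects from the API
// server, which is what --cluster gives the CLI. Contents are constructed here.
type clusterLabels map[string]map[string]string

func (c clusterLabels) Labels(ns string) (map[string]string, bool) {
	l, ok := c[ns]
	return l, ok
}

// offlineLabels models a run with no cluster access: no namespace labels at all.
type offlineLabels struct{}

func (offlineLabels) Labels(string) (map[string]string, bool) { return nil, false }

// ExceptionApplies decides whether a namespaceSelector-scoped exception exempts a
// resource in the given namespace, and explains why it did or did not.
func ExceptionApplies(sel NamespaceSelector, src NamespaceLabelSource, namespace string) (bool, string) {
	labels, ok := src.Labels(namespace)
	if !ok {
		return false, "namespace labels unavailable, selector cannot match: exception NOT applied"
	}
	if !sel.Matches(labels) {
		return false, "namespace labels do not satisfy the selector: exception NOT applied"
	}
	return true, "exception applies"
}

// RuleResult maps the exception outcome to the report result for a resource
// that otherwise violates the rule: "skip" when exempted, "fail" when not.
func RuleResult(exempted bool) string {
	if exempted {
		return "skip"
	}
	return "fail"
}

func main() {
	sel := NamespaceSelector{MatchExpressions: []Requirement{{
		Key: "kyverno.tess.io/mutateresource", Operator: "In", Values: []string{"false"},
	}}}
	cluster := clusterLabels{"ns1": {
		"kubernetes.io/metadata.name":    "ns1",
		"kyverno.tess.io/mutateresource": "false",
	}}
	for name, src := range map[string]NamespaceLabelSource{"with --cluster": cluster, "offline": offlineLabels{}} {
		ok, why := ExceptionApplies(sel, src, "ns1")
		fmt.Printf("%-14s result=%s (%s)\n", name, RuleResult(ok), why)
	}
}
```

Without namespace labels the `In` requirement can never be satisfied, so the exception silently does not apply and the Pod is reported as `fail`, which is the symptom the linked issue describes; with labels read from the cluster the same Pod is reported as `skip`, matching the second output above. `offlineLabels` is only a stand-in for a run without cluster access; the CLI's own data path is not reproduced here.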
@anushkamittal2001

I see in the release-1.12 branch it isn't working; I understand this wasn't cherry-picked in 1.12.4?

@realshuting realshuting added the cherry-pick-completed The PR was cherry-picked (or merged) to required release branches label Jun 27, 2024
jslivka pushed a commit to jslivka/kyverno-hpa that referenced this pull request Jul 2, 2024
)

* fix: get ns labels in the cluster mode when using the CLI

Signed-off-by: Mariam Fahmy <[email protected]>

* chore: fix chainsaw test

Signed-off-by: Mariam Fahmy <[email protected]>

* Update .vscode/launch.json

Co-authored-by: shuting <[email protected]>
Signed-off-by: Mariam Fahmy <[email protected]>

---------

Signed-off-by: Mariam Fahmy <[email protected]>
Signed-off-by: Mariam Fahmy <[email protected]>
Co-authored-by: shuting <[email protected]>
MariamFahmy98 added a commit that referenced this pull request Jul 3, 2024
…#10348) (#10549)

* fix: get ns labels in the cluster mode when using the CLI

Signed-off-by: Mariam Fahmy <[email protected]>

* chore: fix chainsaw test

Signed-off-by: Mariam Fahmy <[email protected]>

---------

Signed-off-by: Mariam Fahmy <[email protected]>
Labels
cherry-pick-completed The PR was cherry-picked (or merged) to required release branches cherry-pick-required milestone 1.12.5
Successfully merging this pull request may close these issues.

Policy exception with ns selector not applied to resources [Bug] [CLI]
4 participants